AMENDMENTS TO THE CLAIMS

1. (Currently Amended) A method of controlling usage of network resources on a communications
network based on the identity of an authenticated user, the method comprising acts of: 

creating, with a relationship management module, one or more packet rules for use on 
analyzing packets received at one or more network devices of the communications network, each 
rule including a condition and action to be taken as part of providing a service of the 
communications network if a packet received at a device satisfies the condition, wherein the one or 
more packet rules are defined to examine any portion of a packet; 

storing the one or more packet rules in the communications network; 

creating, with the relationship management module, one or more role abstractions, each role 
abstraction representing a role of a user with respect to the communications network, and each role 
abstraction capable of being assigned a set of one or more service abstractions to be provided to the 
user associated with the represented role; 

creating, with the relationship management module, the one or more service abstractions, 
each service abstraction representing a communications network service to be provided to users of 
the communications network, each service abstraction including a named set of one or more of the 
packet rules that, in combination, provide the represented communications network service; 

storing the one or more service abstractions in the communications network; 

storing the one or more role abstractions in the communications network; 

associating, with the relationship management module, the one or more role abstractions 
service abstractions with the identity of the authenticated user of the communications network; and

in response to receipt of a packet at any of the network devices from the authenticated user, 
using, by any of the network devices, the one or more service abstractions associated with the 
identity of the authenticated user to control usage of network resources on the communications 
network, the using including applying the packet rules in the one or more service abstractions to the 
packet.

2. (Previously Presented) The method of claim 1, further comprising an act of:

configuring a network device of the communications network with one or more packet rules 
according to at least one of the service abstractions. 

3. (Previously Presented) The method of claim 2, wherein configuring the network device 
comprises: configuring a port module of a switching device of the communications network with 
one or more packet rules according to at least one of the service abstractions. 

4. (Canceled) 

5. (Previously Presented) The method of claim 1, further comprising an act of: 

distributing the one or more service abstractions to one or more network devices residing on 
the communications network. 

6. (Canceled) 

7. (Canceled) 

8. (Currently Amended) The method of claim [[7]] 1, further comprising an act of: 

configuring a network device of the communications network with one or more packet rules 
according to one of the role abstractions. 

9. (Previously Presented) The method of claim 8, wherein configuring the network device with one 
or more packet rules according to one of the role abstractions comprises: configuring a port module 
of a switching device of the communications network with one or more packet rules according to 
one of the role abstractions. 

10. (Canceled)

11. (Currently Amended) The method of claim [[7 further comprising an act of:

distributing the one or more role abstractions to one or more network devices residing on the 
communications network. 

12. (Canceled) 

13. (Currently Amended) A system for enabling a network manager to control usage of network 
resources on a communications network based on the identity of an authenticated user, the system 
comprising: 

a rule editing module enabling the network manager to edit one or more packet rules for use 
on analyzing packets received at one or more devices of the communications network, each rule 
including a condition and action to be taken if a packet received at a device satisfies the condition; 

a service editing module enabling the network manager to edit one or more service 
abstractions, each service abstraction representing a communications network service to be provided 
to users of the communications network, each service abstraction including a named set of one or 
more of the packet rules that, in combination, provide the represented communications network 
service; 

a role editing module enabling the network manager to edit one or more role abstractions, 
each role abstraction representing a role of a user with respect to the communications network, and
each role abstraction capable of being assigned a set of one or more of the service abstractions 
representing communications network services to be provided to the user associated with the 
represented role; 

a user management module enabling the network manager to associate users of the 
communications network with one or more of the service abstractions; and

a user management module enabling the network manager to associate the users of the
communications network with one or more of the role abstractions; and

storage means for storing one or more of the service abstractions, one or more of the packet
rules, one or more of the role abstractions or one or more of the associations between the users of
the communications network and one or more of the service role abstractions.

14. (Original) The system of claim 13, further comprising: logic to configure a network device with
one or more packet rules according to at least one of the service abstractions. 

15. (Original) The system of claim 14, wherein the logic comprises: port configuration logic to 
configure a port module of a switching device with one or more packet rules according to at least 
one of the service abstractions. 

16. (Canceled) 

17. (Original) The system of claim 13, further comprising: a distribution module to distribute the 
one or more service abstractions to one or more network devices residing on the communications 
network. 

18. (Canceled) 

19. (Canceled) 

20. (Currently Amended) The system of claim [[19]] 13, further comprising: logic to configure a
network device with one or more packet rules according to one of the role abstractions. 

21. (Original) The system of claim 20, wherein the logic comprises: port configuration logic to 
configure a port module of a switching device with one or more packet rules according to one of the 
role abstractions. 

22. (Canceled) 

23. (Currently Amended) The system of claim [[19]] 13, further comprising: a distribution module
to distribute the one or more role abstractions to one or more network devices residing on the
communications network.

Claims 24-25 (Canceled).

26. (Currently Amended) A computer program product, comprising: a computer readable medium; 
and non-transitory computer readable signals stored on the computer readable medium that define 
instructions that, as a result of being executed by a computer, instruct the computer to perform a 
process of controlling usage of network resources on a communications network based on the 
identity of an authenticated user, the process comprising acts of: 

creating one or more packet rules for use on analyzing packets received at one or more 
devices of the communication network, each rule including a condition and action to be taken as 
part of providing a service of the communications network if a packet received at a device satisfies 
the condition, wherein the one or more packet rules are defined to examine any portion of a packet; 

storing the one or more packet rules; 

creating one or more service abstractions, each service abstraction representing a 
communications network service to be provided to users of the communications network, each 
service abstraction including a named set of one or more of the packet rules that, in combination, 
provide the represented communications network service; [[and]] 

storing the one or more service abstractions; 

creating one or more role abstractions, each role abstraction representing a role of a user 
with respect to the communications network, and each role abstraction capable of being assigned a 
set of one or more of the service abstractions representing communications network services to be 
provided to the users associated with the represented role;

storing the one or more role abstractions; and

associating the one or more role abstractions with the identity of the authenticated user of the
communications network.

27. (Currently Amended) A method of controlling usage of network resources on a communications 
network based on the identity of an authenticated user, the method comprising acts of:

(a) defining one or more packet rules for use on analyzing packets received at one or more
devices of the communications network, each rule including a condition and action to be taken if a
packet received at a device satisfies the condition, wherein the one or more packet rules are defined 
to examine any portion of a packet; 

(b) providing the one or more packet rules; 

(c) defining one or more service abstractions, each service abstraction representing a 
communications network service to be provided to a user of the communications network, each 
service abstraction including a named set of one or more of the packet rules that, in combination, 
provide the represented communications network service; 

(d) providing the one or more services abstractions; 

(e_[[c]]) in response to a user, defining one or more role abstractions associated with an
authenticated user, each role abstraction representing a role of [[an]] the authenticated user with
respect to the communications network for controlling usage of network resources on the
communications network by the authenticated user, and each role abstraction capable of being
assigned including a set of one or more of the service abstractions packet rules; [[and]]

(f_[[d]]) providing the one or more role abstractions; and

(g) associating the one or more role abstractions with the identity of the authenticated user of
the communications network.

28. (Currently Amended) The method of claim 27, further comprising an act of: 

(h_[[e]]) configuring a network device of the communications network with one or more 
packet rules according to one of the role abstractions. 

29. (Currently Amended) The method of claim 28, wherein act (h_[[e]]) comprises: 

configuring a port module of a switching device of the communications network with one or 
more packet rules according to one of the role abstractions. 

30. (Canceled)

31. (Currently Amended) The method of claim 27, further comprising an act of:

QL[[e]]) distributing the one or more role abstractions to one or more network devices 
residing on the communications network. 

32. (Canceled) 

33. (Currently Amended) A system for controlling usage of network resources on a 
communications network based on the identity of an authenticated user, the system comprising: 

a rule editing module to create one or more packet rules for use on analyzing packets 
received at one or more devices of the communications network, each rule including a condition and 
action to be taken if a packet received at a device satisfies the condition, wherein the one or more 
packet rules are defined to examine any portion of a packet; 

a service editing module to create one or more service abstractions, each service abstraction 
representing a communications network service to be provided to users of the communications 
network, each service abstraction including a named set of one or more of the packet rules that, in 
combination, provide the represented communications network service; 

a role editing module to create, in response to a user, one or more role abstractions 
associated with an authenticated user, each role abstraction representing a role of an authenticated 
user with respect to the communications network for controlling usage of network resources on the 
communications network by the authenticated user, and each role abstraction capable of being 
assigned including a set of one or more of the service abstractions; packet rules; and

a user management module to associate the one or more role abstractions with the identity of 
the authenticated user of the communications network; and 

storage means for storing the one or more created role abstractions, the one or more created
service abstractions, or the one or more created packet rules.



34. (Original) The system of claim 33, further comprising: logic to configure a port module of a 
network device with one or more packet rules according to one of the role abstractions.

35. (Original) The system of claim 34, wherein the logic comprises: port configuration logic to 
configure a port module of a switching device with one or more packet rules according to one of the 
role abstractions. 

36. (Canceled) 

37. (Original) The system of claim 33, further comprising: a distribution module to distribute the 
one or more role abstractions to one or more network devices residing on the communications 
network. 

Claims 38-39 (Canceled).

40. (Currently Amended) A computer program product, comprising: a computer readable medium; 
and non-transitory computer readable signals stored on the computer readable medium that define 
instructions that, as a result of being executed by a computer, instruct the computer to perform a 
process of controlling usage of network resources on a communications network based on the 
identity of an authenticated user, the process comprising acts of: 

(a) creating editing one or more packet rules for use on analyzing packets received at one or
more devices of the communications network, each rule including a condition and action to be taken
if a packet received at a device satisfies the condition, wherein the one or more packet rules are 
defined to examine any portion of a packet; 

(b) storing the one or more packet rules; 

(c) editing one or more service abstractions, each service abstraction representing a
communications network service to be provided to users of the communications network, each
service abstraction including a named set of one or more of the packet rules that, in combination,
provide the represented communications network service;

([[c]]d) in response to a user, creating editing one or more role abstractions associated with
an authenticated user, each role abstraction representing a role of an authenticated user with respect 
to the communications network for controlling usage of network resources on the communications 
network by the authenticated user, and each role abstraction capable of being assigned including a 
set of one or more of the service abstractions; one or more packet rules; and

([[d]]e) storing the one or more role abstractions associating the users of the communications
network with one or more of the role abstractions; and

(f) saving the one or more role abstractions and the one or more service abstractions.

41. (Previously Presented) The method of claim 1, wherein the relationship management module 
comprises any of firmware, electronic circuitry or programmatically generated instructions. 

42. (Previously Presented) A method of controlling usage of network resources on a 
communications network based on the identity of an authenticated user, the method comprising acts 
of: 

creating, with at least one computer, one or more packet rules for analyzing packets received 
at one or more network devices of the communications network, each rule including a condition and 
action to be taken as part of providing a service of the communications network if a packet received 
at a device satisfies the condition, wherein the one or more packet rules are defined to examine any 
portion of a packet; 

storing, with at least one computer, the one or more packet rules;

creating, with at least one computer, one or more service abstractions, each service 
abstraction representing a communications network service to be provided to users of the 
communications network, each service abstraction including a named set of one or more of the 
packet rules that, in combination, provide the represented communications network service; 

storing, with at least one computer, the one or more service abstractions; 

associating, by at least one computer and by the one or more service abstractions, with the 
identity of the authenticated user of the communications network;

in response to receipt of a packet at any of the network devices from the authenticated user,
using, by one of the network devices, the one or more service abstractions associated with the 
identity of the authenticated user to control usage of network resources on the communications 
network, the using including applying the packet rules in the one or more service abstractions to the 
packet; and 

creating, with at least one computer, one or more role abstractions, each role abstraction 
representing a role of users with respect to the communications network, and each role abstraction 
including a set of one or more service abstractions representing communications network services to 
be provided to users associated with the represented role, 

and wherein the act of associating one or more service abstractions with the identity of the 
authenticated user includes associating the identity of the authenticated user with one or more of the 
role abstractions. 

43. (Previously Presented) The method of claim 42, further comprising an act of: 

configuring, with at least one computer, a network device of the communications network 
with one or more packet rules according to one of the role abstractions. 

44. (Previously Presented) The method of claim 43, wherein configuring the network device with 
one or more packet rules according to one of the role abstractions comprises: configuring, with at 
least one computer, a port module of a switching device of the communications network with one or 
more packet rules according to one of the role abstractions. 

45. (Previously Presented) The method of claim 42, further comprising an act of: 

distributing, with at least one computer, the one or more role abstractions to one or more 
network devices residing on the communications network. 

46. (Previously Presented) The method of claim 42, wherein the with at least one computer 
comprises any of firmware, electronic circuitry or programmatically generated instructions.

47. (Previously Presented) A system for enabling a network manager to control usage of network
resources on a communications network based on the identity of an authenticated user, the system 
comprising: 

a rule editing module enabling the network manager to edit one or more packet rules for 
analyzing packets received at one or more devices of the communications network, each rule 
including a condition and action to be taken if a packet received at a device satisfies the condition; 

a service editing module enabling the network manager to edit one or more service 
abstractions, each service abstraction representing a communications network service to be provided 
to users of the communications network, each service abstraction including a named set of one or 
more of the packet rules that, in combination, provide the represented communications network 
service; 

a user management module enabling the network manager to associate users of the 
communications network with one or more of the service abstractions; 

storage means for storing one or more of the service abstractions, one or more of the packet
rules or one or more of the associations between users of the communications network and one or 
more of the service abstractions; and 

a role editing module enabling the network manager to edit one or more role abstractions, 
each role abstraction representing a role of users with respect to the communications network, and 
each role abstraction including a set of one or more service abstractions representing 
communications network services to be provided to users associated with the represented role, 

and wherein the user management module further enables the network manager to associate 
users of the communications network with one or more of the role abstractions. 

48. (Previously Presented) The system of claim 47, further comprising: logic to configure a network 
device with one or more packet rules according to one of the role abstractions. 

49. (Previously Presented) The system of claim 48, wherein the logic comprises: port configuration 
logic to configure a port module of a switching device with one or more packet rules according to 
one of the role abstractions.

50. (Previously Presented) The system of claim 47, further comprising: a distribution module to
distribute the one or more role abstractions to one or more network devices residing on the 
communications network. 